Generate Local .NET Secrets from Azure Deployments

Frank Boucher

Often sample projects starts with a few “magic strings”, those variables contains URLs and key information related to a deployment or external resources that we will have to change to use the sample. As an example in .NET it could look like this:

string openAIEndpoint = "https://";
string openAIDeploymentName = "my-ai-model";
string openAiKey = "123456abcd789EFGH";
// ...

This post shows how you to automatically generate .NET secrets from the Azure deployment and how your .NET app can read them. Users who would like to try your sample won’t have to edit anything anymore! They will only have to deploy using azd up, and then dotnet run to execute the app. Sound interesting? Here are to implement it.

The code for the entire project can be found on GitHub, in the fboucher/hikerai.

The Preparation

Bicep is a language for creating infrastructure definitions for Azure resources that you want to deploy. Since these resources will have information like endpoints or model names, we want a way to export those, and in Bicep we use the output syntax:

// some bicep deployment...

output AZURE_OPENAI_KEY string = ai.outputs.AZURE_OPENAI_KEY

With the Azure Developer CLI (azd) the command azd env get-values returns all those values in list of key-paired values. A PowerShell or Bash script could read those and create new .NET secrets using the command dotnet user-secrets set. Here the script postprovision.ps1.

function Set-DotnetUserSecrets {
    param ($path, $lines)
    cd $path
    dotnet user-secrets init
    dotnet user-secrets clear
    foreach ($line in $lines) {
        $name, $value = $line -split '='
        $value = $value -replace '"', ''
        $name = $name -replace '__', ':'
        if ($value -ne '') {
            dotnet user-secrets set $name $value | Out-Null

$lines = (azd env get-values) -split "`n"
Set-DotnetUserSecrets -path "." -lines $lines

This script start by creating a function Set-DotnetUserSecrets that takes two parameters. The first parameter $path will be used so the script can change directory to that location. This is essential to make sure the secrets are created where needed. The second parameter $lines contains all the substring where key-paired values are saved (ex: VARIABLE_NAME=”variable_value”). The script loops through all lines to isolate the names and the values and create a secret for each of them dotnet user-secrets set $name $value.

On the two last lines, the script retrieves the environment variable generated by the outputs using azd env get-values and split the result in substring. It will finally call the function Set-DotnetUserSecrets declared previously passing the the path and lines. A version of the script is also available in the repository.

To execute the script after the deployment we need to add a post provision hook into the azure.yaml file. The azure.yaml is the schema that defines and describes the apps and types of Azure resources that are included in a project. Here how it looks.

      shell: pwsh
      run: ./infra/post-script/postprovision.ps1
      interactive: true
      continueOnError: true

The deployment

Execute your deployment using Azure CLI Developer CLI command azd up. You can use the code of HikerAI available at fboucher/hikerai. Once you clone or download the repository, make sure you are at the root directory, to deploy the solution.

To test that the secrets have been created used the command dotnet user-secrets list.

result of the secrets-list command

Use the Secrets

Using the NuGet package Microsoft.Extensions.Configuration, the application will be able to read the user secrets. You can now replace those magic strings.

// == Retrieve the local secrets saved during the Azure deployment ==========
using Microsoft.Extensions.Configuration;

var config = new ConfigurationBuilder().AddUserSecrets<Program>().Build();
string openAIEndpoint = config["AZURE_OPENAI_ENDPOINT"];
string openAIDeploymentName = config["AZURE_OPENAI_GPT_NAME"];
string openAiKey = config["AZURE_OPENAI_KEY"];



This post shared a few tips to replace “magic strings” by user secrets that can be automatically generates from the Azure deployment outputs. Try it in your solution or with our sample available ay fboucher/hikerai in the HikerAI folder.



Leave a comment

  • Jerry Richards 0

    With VS 2022 17.9.3 I can create and debug the WinUI 3 project templates. However, the .NET MAUI 8.0 fails to deploy and break at the breakpoint. Can someone confrm if they have the encounter the problem too?

  • Erik O'Leary 1

    I believe it’s actually bad practice to output secrets from bicep files, so probably nobody should actually do this; use a vault to store your secrets – Bicep will probably give you this warning

    • Frank BoucherMicrosoft employee 1

      You are right @Erik O’Leary for any production deployment, but here it’s about easing demo and local development… KeyVault is the way to go when dealing with production or business deployment.

Feedback usabilla icon